public inbox for [email protected]  
From: John Barker <[email protected]>
To: Khushboo Vashi <[email protected]>
Cc: pgadmin-support lists.postgresql.org <[email protected]>
Subject: Re: Enforcing TLS 1.3 as a minimum version
Date: Wed, 9 Apr 2025 10:26:38 -0400
Message-ID: <CA+7KU8rJsS1XtcAxX4PDMgRVLjYxwnL-7h+D2ZkJijpyRi0GhA@mail.gmail.com> (raw)
In-Reply-To: <CAFOhELcXgrRQE37+W+e3xabqjoYe-AzH5ewuELRErLXbA75LRg@mail.gmail.com>
References: <CA+7KU8pPEXm-EbY0nk3CwiMkM962AMapwghwSAu0QmThnkZoNQ@mail.gmail.com>
	<CA+7KU8qGkLzzAFJHuJfCe=jZuOG2ZHAWQvgv+oW+5m5ZBNAsOA@mail.gmail.com>
	<CAFOhELeMYYFz8vpBpd7DKtjW10THuv22WZ6NiYUZTZZ634MaQw@mail.gmail.com>
	<CA+7KU8oww0yJ2uFVyfBaYPFEBw=qCLcJmZ3OCY_mqNwzSVbZsg@mail.gmail.com>
	<CAFOhELcXgrRQE37+W+e3xabqjoYe-AzH5ewuELRErLXbA75LRg@mail.gmail.com>

> What is the output of `curl -v <pgadmin_url>`?

The curl connects successfully but gives no information:

curl: (52) Empty reply from server.

On Tue, Apr 8, 2025 at 11:38 PM Khushboo Vashi <[email protected]> wrote:

> [...Looping pgAdmin-Support]
>
> On Tue, Apr 8, 2025 at 9:19 PM John Barker <[email protected]> wrote:
>
>> Hello,
>>
>> I am on a closed network so I can't copy my files and have to retype
>> them. I have verified that the file below is being parsed when the
>> container starts. My config.py is default as shipped with the
>> container. I was previously able to get this to work with pgAdmin 8.6
>> and TLS 1.2 (no ssl_context required) before the requirement to upgrade
>> to pgAdmin 9.1 and TLS 1.3 (using ssl_context).
>>
>> I include PGADMIN_ENABLE_TLS: true in my podman compose file as well as
>> my certs which are valid. There are no errors at startup in the container
>> logs.
>>
>> Here are the total contents of gunicorn_config.py
>>
>> *********   BEGIN ********************
>> import gunicorn
>> gunicorn.SERVER_SOFTWARE = 'Python'
>> conf = '/pgadmin4/config.py'
>>
>> #ssl_version = 'TLSv1_2'     -- working 8.6 setting
>> #ciphers = 'ECDHE-RSA-AES256-GCM-SHA383:!aNull'  -- working 8.6 setting
>>
>> def ssl_context(conf, default_ssl_context_factory):
>>     import ssl
>>     context = default_ssl_context_factory()
>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>     return context
>>
>> *******  EOF  **************
>>
> This code looks fine.
>
>> I test TLS version using openssl like this:
>>
>> # openssl s_client -showcerts -tls1_2 -connect hostname:port
>>
> What is the output of `curl -v <pgadmin_url>`?
>
>> The above command gets a valid response with a TLS 1.2 handshake using a cipher of ECDHE-RSA-AES256-GCM-SHA383. I would expect this not to work.
>>
>> Thanks, John
>>
>> On Tue, Apr 8, 2025 at 7:10 AM Khushboo Vashi <
>> [email protected]> wrote:
>>
>>> Hi,
>>>
>>> On Tue, Apr 8, 2025 at 12:00 AM John Barker <[email protected]>
>>> wrote:
>>>
>>>>
>>>> I am running pgAdmin 9.1 in a podman container and am trying to ensure
>>>> that TLS 1.3 is the minimum version. I have created an override file and
>>>> I know that it is being read at startup but the enforcement of TLS 1.3 is
>>>> not happening. I am using this configuration as suggested by the
>>>> documentation here: https://docs.gunicorn.org/en/21.2.0/settings.html
>>>>
>>>> Any idea of what to check? I know the file is being parsed because if
>>>> I introduce a bad config, it is noted at startup.
>>>>
>>>> Also, where or how is the instance variable for the config defined?
>>>>
>>>> "The callable needs to accept an instance variable for the Config"
>>>>
>>>
>>> Can you please share your gunicorn_config.py file?
>>> The code looks good to me, and you said that you mapped the correct
>>> Gunicorn config file from the container.
>>> Also, what testing have you done to check whether the TLS version is
>>> enforced or not?
>>>
>>>>
>>>> The below is a file mapped into the container called gunicorn_config.py
>>>>
>>>> def ssl_context(conf, default_ssl_context_factory):
>>>>     import ssl
>>>>     context = default_ssl_context_factory()
>>>>     context.minimum_version = ssl.TLSVersion.TLSv1_3
>>>>     return context
>>>>
>>>>
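An added check that is not part of this thread (my code, not John's, pgAdmin's or gunicorn's): it reuses the ssl_context hook quoted above with an assumed stand-in for gunicorn's default context factory to confirm offline that the hook rejects TLS 1.2 and still accepts TLS 1.3, and adds a probe() that does from Python what the `openssl s_client -tls1_2` test above does against a running instance. The host and port in the usage are placeholders.

```python
import socket
import ssl
import sys

TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3


def ssl_context(conf, default_ssl_context_factory):
    """The hook from the thread. gunicorn passes its own Config instance as `conf`
    and a factory that builds the server SSLContext from certfile, keyfile,
    ciphers and ssl_version; the hook then tightens that context."""
    context = default_ssl_context_factory()
    context.minimum_version = TLS13
    return context


def stand_in_factory():
    # Assumed stand-in for gunicorn's factory (no cert/key loaded) so the
    # hook's effect can be inspected without a running server.
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def context_allows(ctx, version):
    """Would `ctx` accept a handshake at `version`? The MINIMUM_SUPPORTED /
    MAXIMUM_SUPPORTED sentinels do not compare numerically, so resolve them."""
    lo = ssl.TLSVersion.SSLv3 if ctx.minimum_version == ssl.TLSVersion.MINIMUM_SUPPORTED else ctx.minimum_version
    hi = TLS13 if ctx.maximum_version == ssl.TLSVersion.MAXIMUM_SUPPORTED else ctx.maximum_version
    return lo <= version <= hi


def hook_is_effective(factory=stand_in_factory):
    """True when the hooked context rejects TLS 1.2 but still accepts TLS 1.3."""
    ctx = ssl_context(None, factory)  # gunicorn would pass its Config here
    return (not context_allows(ctx, TLS12)) and context_allows(ctx, TLS13)


def probe(host, port, version=TLS12, timeout=5.0):
    """Client-side equivalent of `openssl s_client -tls1_2 -connect host:port`:
    pin the client to exactly `version` and report whether the server agrees.
    Certificate checks are off because only the negotiated version is under test."""
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False
    client.verify_mode = ssl.CERT_NONE
    client.minimum_version = version
    client.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with client.wrap_socket(raw, server_hostname=host) as tls:
                return {"accepted": True, "version": tls.version(), "cipher": tls.cipher()[0]}
    except OSError as exc:  # ssl.SSLError is an OSError; a TLS-1.3-only server lands here
        return {"accepted": False, "error": getattr(exc, "reason", None) or str(exc)}


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])  # placeholders, e.g. pgadmin.example.internal 443
    print("hook enforces TLS 1.3 offline:", hook_is_effective())
    print("TLS 1.2 probe:", probe(host, port))
```

If hook_is_effective() is True but the TLS 1.2 probe against the container is still accepted, the hook is not the context gunicorn is actually serving with, so the mapped file or the listener in front of it is the place to look next.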

